This poses interesting security questions, the biggest problem I think is that e.g. the comments overview page could now list comments attached to users, terms, nodes, commerce orders on the same list, from a single query. We don't have a generic entity_access query tag/API and even if we would, I'm not sure if we can design one that supports this use case.

The main question that I have for the security team is if the first suggestion would be ok, from a security perspective. Meaning that we would list those comments on the overview but non-linked and without a title. We could extend it a bit to only include an entity type filter (e.g. to include user, you need access profile permission, access content for nodes and so on. Not sure how to get that list, though.)